FIM System tests: 0203 Whodata Scenario

tests/system/fim/common_tasks/verify_alerts_elasticsearch.py

@@ -75,6 +75,10 @@ def makeQuery(query, Elastic, index_name):
         "-s", "--sleep", type=int, required=False, dest='sleep_time',
         help="Sleep time between retries", default="60"
     )
+    parser.add_argument(
+        "-w", "--whodata", type=bool, required=False, dest='whodata_query',
+        help="Enable whodata queries", default="False"
+    )
     args = parser.parse_args()
 
     query = {
@@ -101,13 +105,33 @@ def makeQuery(query, Elastic, index_name):
             for line in file_list:
                 query['query']['bool']['filter'][0]['term']['syscheck.path'] =\
                     line.rstrip()
+                try:
+                    query_result = makeQuery(query, es, index_name)
+                    print(query_result)
+                except Exception as e:
+                    logging.info("Error when making the  Query of " + str(args.whodata_query))
+                    raise e
 
-                query_result = makeQuery(query, es, index_name)
-                if query_result['hits']['total']['value'] == 1:
-                    success += 1
+                if (args.whodata_query):
+                    try:
+                        if (query_result['hits']['hits'][0]['_source']['syscheck']['audit']['process']['name'] in query_result):
+                            success +=1
+                    except IndexError:
+                        failure_list.append(line)
+                        failure += 1
+                    except Exception as e:
+                        logging.info("Error when filtering audit fields in alert " + line.rstrip())
+                        raise e
                 else:
-                    failure_list.append(line)
-                    failure += 1
+                    try:
+                        if query_result['hits']['total']['value'] == 1:
+                            success += 1
+                    except IndexError:
+                        failure_list.append(line)
+                        failure += 1
+                    except Exception as e:
+                        logging.info("Error when filtering syscheck alerts hits of " + line.rstrip())
+                        raise e
             if failure == 0:
                 break
             else:
@@ -131,4 +155,4 @@ def makeQuery(query, Elastic, index_name):
         "Number of succeded files: {}\n Elapsed time: ~ {} seconds.".format(
             success, elapsed
         )
-    )
+    )

tests/system/fim/common_tasks/verify_alerts_json.py

@@ -46,11 +46,36 @@ def alerts_prune(path, target_event):
                 data = json.loads(line)
                 if data.get('syscheck') and data['syscheck']['event'] == target_event:
                     alerts_list.append(data)
-                    
+
             except ValueError:
                 continue
     return set([alerts['syscheck']['path'] for alerts in alerts_list])
 
+def alerts_prune_whodata(path, target_event):
+    """
+        Prunes desired whodata events from the alert.json file.
+        Extracts all events path to a set.
+        :param str path: path to alerts.json file
+        :param str target_event: target event kind (deleted|added|modified)
+        :return: Returns a set containing the alerts files path
+    """
+    alerts_list = []
+    with open(path,errors='replace') as json_file:
+        for line in json_file:
+            try:
+                data = json.loads(line)
+                if (data['syscheck']['audit'] is not None and data['syscheck']['event'] == target_event):
+                    if (data['syscheck']['audit']['user']['id'] != ""
+                        and data['syscheck']['audit']['user']['name'] != ""
+                        and data['syscheck']['audit']['process']['id'] != ""
+                        and data['syscheck']['audit']['process']['name'] != ""
+                        ):
+                        alerts_list.append(data)
+            except ValueError:
+                continue
+            except KeyError:
+                continue
+    return set([alerts['syscheck']['path'] for alerts in alerts_list])
 
 def main():
     logging.basicConfig(
@@ -87,14 +112,20 @@ def main():
         parser.add_argument("-r", "--retry", type=int, required=False, dest='retry_count',
                             help="reading attempts on stopped alerts. default: 4 attemps",
                             default="4")
+        parser.add_argument("-w", "--whodata", type=bool, required=False, dest='whodata_check',
+                            help="Enable Whodata alert's parsing.",
+                            default="false")
         args = parser.parse_args()
 
         import time
 
         stuck_alerts = 0
 
         paths_list_set = paths_acquisition(args.input_file)
-        pruned_alerts_set = alerts_prune(args.log_json_path, args.event)
+        if (args.whodata_check is not None and args.whodata_check):
+            pruned_alerts_set = alerts_prune_whodata(args.log_json_path, args.event)
+        else:
+            pruned_alerts_set = alerts_prune(args.log_json_path, args.event)
         sub_paths = paths_list_set - pruned_alerts_set
         prev_lenght = len(sub_paths)
         start = time.time()

tests/system/fim/scenarios/203_whodata_frequency/actions/install_whodata.yml

@@ -0,0 +1,7 @@
+---
+  - name: Install Audit | Linux
+    package:
+      name: audit
+      state: present
+    when:
+      - inventory_hostname in groups['linuxagents']

tests/system/fim/scenarios/203_whodata_frequency/config/agent_linux_ossec.conf

@@ -0,0 +1,209 @@
+<!--
+  Wazuh - Agent - Default configuration
+  More info at: https://documentation.wazuh.com
+  Mailing list: https://groups.google.com/forum/#!forum/wazuh
+-->
+
+<ossec_config>
+  <client>
+    <server>
+      <address>172.16.0.111</address>
+      <port>1514</port>
+      <protocol>udp</protocol>
+    </server>
+    <config-profile>linux_system_tests</config-profile>
+    <notify_time>10</notify_time>
+    <time-reconnect>60</time-reconnect>
+    <auto_restart>yes</auto_restart>
+    <crypto_method>aes</crypto_method>
+  </client>
+
+  <client_buffer>
+    <!-- Agent buffer options -->
+    <disabled>no</disabled>
+    <queue_size>15000</queue_size>
+    <events_per_second>500</events_per_second>
+  </client_buffer>
+
+  <!-- Policy monitoring -->
+  <rootcheck>
+    <disabled>no</disabled>
+    <check_files>yes</check_files>
+    <check_trojans>yes</check_trojans>
+    <check_dev>yes</check_dev>
+    <check_sys>yes</check_sys>
+    <check_pids>yes</check_pids>
+    <check_ports>yes</check_ports>
+    <check_if>yes</check_if>
+
+    <!-- Frequency that rootcheck is executed - every 12 hours -->
+    <frequency>43200</frequency>
+
+    <rootkit_files>/var/ossec/etc/shared/rootkit_files.txt</rootkit_files>
+    <rootkit_trojans>/var/ossec/etc/shared/rootkit_trojans.txt</rootkit_trojans>
+
+    <skip_nfs>yes</skip_nfs>
+  </rootcheck>
+
+  <wodle name="open-scap">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+  </wodle>
+
+  <wodle name="cis-cat">
+    <disabled>yes</disabled>
+    <timeout>1800</timeout>
+    <interval>1d</interval>
+    <scan-on-start>yes</scan-on-start>
+
+    <java_path>wodles/java</java_path>
+    <ciscat_path>wodles/ciscat</ciscat_path>
+  </wodle>
+
+  <!-- Osquery integration -->
+  <wodle name="osquery">
+    <disabled>yes</disabled>
+    <run_daemon>yes</run_daemon>
+    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
+    <config_path>/etc/osquery/osquery.conf</config_path>
+    <add_labels>yes</add_labels>
+  </wodle>
+
+  <!-- System inventory -->
+  <wodle name="syscollector">
+    <disabled>no</disabled>
+    <interval>1h</interval>
+    <scan_on_start>yes</scan_on_start>
+    <hardware>yes</hardware>
+    <os>yes</os>
+    <network>yes</network>
+    <packages>yes</packages>
+    <ports all="no">yes</ports>
+    <processes>yes</processes>
+  </wodle>
+
+  <sca>
+    <enabled>yes</enabled>
+    <scan_on_start>yes</scan_on_start>
+    <interval>12h</interval>
+    <skip_nfs>yes</skip_nfs>
+  </sca>
+
+
+  <!-- File integrity monitoring -->
+  <syscheck>
+    <disabled>no</disabled>
+
+    <!-- Frequency that syscheck is executed default every 12 hours -->
+    <frequency>43200</frequency>
+
+    <scan_on_start>yes</scan_on_start>
+
+    <!-- Directories to check  (perform all possible verifications) -->
+    <directories>/etc,/usr/bin,/usr/sbin</directories>
+    <directories>/bin,/sbin,/boot</directories>
+    <!-- Whodata options -->
+    <directories check_all="yes" whodata="yes">/opt/fim_testing</directories>
+
+    <!-- Files/directories to ignore -->
+    <ignore>/etc/mtab</ignore>
+    <ignore>/etc/hosts.deny</ignore>
+    <ignore>/etc/mail/statistics</ignore>
+    <ignore>/etc/random-seed</ignore>
+    <ignore>/etc/random.seed</ignore>
+    <ignore>/etc/adjtime</ignore>
+    <ignore>/etc/httpd/logs</ignore>
+    <ignore>/etc/utmpx</ignore>
+    <ignore>/etc/wtmpx</ignore>
+    <ignore>/etc/cups/certs</ignore>
+    <ignore>/etc/dumpdates</ignore>
+    <ignore>/etc/svc/volatile</ignore>
+
+    <!-- File types to ignore -->
+    <ignore type="sregex">.log$|.swp$</ignore>
+
+    <!-- Check the file, but never compute the diff -->
+    <nodiff>/etc/ssl/private.key</nodiff>
+
+    <skip_nfs>yes</skip_nfs>
+    <skip_dev>yes</skip_dev>
+    <skip_proc>yes</skip_proc>
+    <skip_sys>yes</skip_sys>
+
+    <!-- Nice value for Syscheck process -->
+    <process_priority>10</process_priority>
+
+    <!-- Maximum output throughput -->
+    <max_eps>200</max_eps>
+
+    <!-- Database synchronization settings -->
+    <synchronization>
+      <enabled>yes</enabled>
+      <interval>5m</interval>
+      <max_interval>1h</max_interval>
+    </synchronization>
+  </syscheck>
+
+  <!-- Log analysis -->
+  <localfile>
+    <log_format>command</log_format>
+    <command>df -P</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
+    <alias>netstat listening ports</alias>
+    <frequency>360</frequency>
+  </localfile>
+
+  <localfile>
+    <log_format>full_command</log_format>
+    <command>last -n 20</command>
+    <frequency>360</frequency>
+  </localfile>
+
+  <!-- Active response -->
+  <active-response>
+    <disabled>no</disabled>
+    <ca_store>/var/ossec/etc/wpk_root.pem</ca_store>
+    <ca_verification>yes</ca_verification>
+  </active-response>
+
+  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
+  <logging>
+    <log_format>plain</log_format>
+  </logging>
+
+</ossec_config>
+
+<ossec_config>
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/ossec/logs/active-responses.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/auth.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/syslog</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/dpkg.log</location>
+  </localfile>
+
+  <localfile>
+    <log_format>syslog</log_format>
+    <location>/var/log/kern.log</location>
+  </localfile>
+
+</ossec_config>